Behavior Blockers and HIPS

Discussion in 'other anti-malware software' started by Pfipps, Sep 26, 2007.

Thread Status:
Not open for further replies.
  1. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
I have been trying out SSM and DefenseWall; are these programs interchangeable (do they do the same things?). Do I need a dedicated firewall with SSM, or can I just use the Vista Home Premium firewall? And with DefenseWall? I currently run NOD32 and find SSM way too noisy... I don't understand every notification, I usually test the MD5 signature and look for (Microsoft Corporation) for svchost.exe, for example.
     
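The manual check described in the post above (hashing svchost.exe and looking for a Microsoft publisher) can be scripted. The following is an added example, not code from the thread or from any of the products discussed; it assumes Windows PowerShell 4.0 or later (for `Get-FileHash`) and an elevated prompt so that `Get-Process` can read the image path of system processes. The process name is a constructed input. It uses SHA-256 rather than MD5 because MD5 is no longer collision-resistant, and it checks the Authenticode signature rather than a hash alone, since a hash tells you nothing about who published the file.

```powershell
# Added example (not from the thread): report, for every running instance of a
# process, whether its image file is Authenticode-signed by the expected
# publisher, whether it lives in the system directory, and its SHA-256 hash.
# Assumes PowerShell 4.0+ and an elevated session.
function Test-ProcessImageSignature {
    param(
        [Parameter(Mandatory = $true)][string]$ProcessName,
        # Substring expected in the signer certificate subject (constructed default).
        [string]$ExpectedPublisher = 'Microsoft'
    )

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |                      # Path is $null without sufficient rights
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_
            $hash = Get-FileHash -Path $_ -Algorithm SHA256
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # A genuine system binary should be both validly signed by the
            # expected publisher and located under %SystemRoot%\System32.
            $inSystemDir = $_ -like (Join-Path $env:SystemRoot 'System32\*')
            $signedOk    = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")

            [pscustomobject]@{
                Path        = $_
                Status      = $sig.Status           # Valid, NotSigned, HashMismatch, ...
                Signer      = $subject
                InSystemDir = $inSystemDir
                Trusted     = $signedOk -and $inSystemDir
                SHA256      = $hash.Hash
            }
        }
}

# Usage: list every svchost.exe image currently running and flag any that is
# unsigned, signed by someone else, or running from outside System32.
Test-ProcessImageSignature -ProcessName 'svchost' |
    Format-Table Path, Status, InSystemDir, Trusted, SHA256 -AutoSize
```

Any row with `Trusted` equal to `False` is worth a closer look; a substring match on the subject is a convenience for reading the output, and a stricter version would compare `$sig.SignerCertificate.Thumbprint` against a known-good value recorded from a clean machine.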
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    SSM is a (classical) HIPS and DefenceWall is a policy-based sandbox.

    Yes you need a firewall; the Vista Firewall is enough.

DefenseWall, unlike SSM, is not noisy. Just add your browsers, email, IM and other internet utilities to the untrusted list and you're all set.
     
  3. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    Is Geswall similar to SSM? Primary Response Safe Connect seems really good from the PC Mag Review. Do I really need both DefenseWall and SSM at the same time?
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pfipps,

GeSWall is more or less the same as DefenseWall. EQSecurity (free) is the same (and as strong) as SSM Pro and ProSecurity Pro (both paid). Like WSFuser said, DW and GW are policy-based HIPS (sandboxes); they do not throw pop-ups at you, but protect silently.
EQS, SSM and PS, on the other hand, are classical HIPS. They respond to each anomaly and will warn you when an unknown program tries to start; the downside is that they are noisy when you start using them. So you have to answer a lot of questions or leave the learning mode on for some time. After initial use the pop-ups will disappear.

When you want hassle-free (install and forget) use DefenseWall. Occasionally you will download a program. When you try that program out, you have to run this as a trusted program. When you tell DefenseWall this is a trusted program, it will leave it alone. For these cases you will need your antivirus (it will warn you when you download it). The problem with AVs is that they only protect against known threats. New threats (called zero-day threats) might (<0,1% chance) not be known. To protect you in these cases (trying out a new program, downloaded from the internet), you might want some extra protection.

    Behavioral Blockers such as ThreatFire, A2 Malware with its IDS and Primary Response Safe Connect, will warn you when something strange is happening.

- Primary Response Safe Connect, abbreviated to PRSC (paid): will not only warn, but also take counter measures.
- A2 Malware with IDS (paid): will warn you, with a very clear message, plus it has intelligent false positive reduction, so you will get very few warnings. It is designed to run on Vista32, so it does not protect you against some registry intrusions of worms (because the UAC of Vista covers that).
- ThreatFire: the free version is the former CyberHawk Pro, has the advantage that you can enter your own custom rules (see this forum), the downside is that it will only give you a warning and you have to make the decision.

So when you want to save money, choose ThreatFire. When you are willing to pay for the extra ease of use, choose A2 or PRSC. When you have a free antivirus like Antivir free, A2 is the best deal, because it also has a resident on-demand anti-malware blacklist. When you have a paid AV package (e.g. Antivir Premium, including anti-malware blacklist), PRSC is a good option. For Vista64 PRSC is the only option from these three.

The Vista Firewall together with the free utility Vista Firewall Control will probably do (check this forum and see that BigC, a former moderator of Wilders, is quite happy with it, so trust the advice of WSFuser).

    Hope this helps.

    Regards Kees
     
    Last edited: Sep 27, 2007
  5. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    Thanks for the information. It's just that I have only begun looking at HIPS since I really never thought about them. There are so many types from many companies I don't know that I tend to feel that I can't measure a company's reputation. I stopped using my Zone Alarm Pro and went the anti-virus/Windows Firewall/anti trojan/anti spyware/HIPS route thinking that it would actually be a better setup since I am not relying on one vendor for protection outside of my anti-virus (although NOD32 has excellent heuristics).
     